b'Audit Report 97-01\xc2\xa0 -\xc2\xa0 Table of Contents\nDRUG ENFORCEMENT ADMINISTRATION\'S\nTHIRD PARTY PAYMENT SYSTEM\nAudit Report 97-01, (11/96)\nTABLE OF CONTENTS\nAUDIT RESULTS\nFINDING AND RECOMMENDATIONS\nMANAGEMENT CONTROLS SHOULD BE STRENGTHENED\nGuidance\nBank Reconciliations\nPassword Security\nSecurity of Check Stock\nVoided Checks\nConclusion\nRecommendations\nSTATEMENT OF COMPLIANCE WITH LAWS AND REGULATIONS\nAPPENDIX I - AUDIT SCOPE AND METHODOLOGY\nAPPENDIX II - MANAGEMENT CONTROL ERRORS\nTable1\nTable 2\nTable 3\nTable 4\nAUDIT RESULTS\nThird party payments are an alternative payment method for cash and an effective tool\nfor reducing cash held by federal agencies. A third party payment is a negotiable\ninstrument which does not immediately expend funds from the U.S. Treasury when issued.\nThird party payments are issued for imprest fund-type expenses, travel reimbursements,\nsmall purchases, and investigative expenses. The limit for imprest fund-type expenses and\ntravel reimbursements is $2,500, and for small purchases and investigative expenses is\n$5,000. Funds paid to the payee are provided by the contracting bank, and Treasury funds\nare not disbursed until payment is made to the contracting bank for properly honored third\nparty payments.\nMellon Bank processes third party payments under a Department of Justice contract in\nwhich the Drug Enforcement Administration (DEA) has participated since May 1990. During FY\n1995, the DEA processed more than $30 million in third party payments at 25 sites. The DEA\nplans to implement the third party payment system at 7 additional sites.\nOur review of 100 sampled third party payments identified the following weaknesses: (1)\nsupporting documents were missing for 20 payments, (2) expenses were not authorized by the\nDEA Third Party Draft Payment System Policies and Procedures Manual and the Department of\nJustice Third Party Payment Policies and Procedures Handbook for 18 payments, (3)\nsupporting documents were not signed by an approving official for 8 payments, and (4)\nvoucher packages were not marked "PAID" for 91 payments. Our review of bank\nreconciliations at DEA Headquarters identified differences that were not identified and\nfollowed up in a timely manner. Our review of third party payment operations at the field\noffices identified shared passwords, unsecured blank check stock, missing voided checks,\nand manually voided checks recorded in the Financial Management Information System (FMIS)\nas issued or cleared. Our findings corroborated the results of office-by-office compliance\nreviews performed by the DEA\'s Office of Finance.\nIn our judgment, the third party payment system can be an effective method to make\ndisbursements for imprest fund-type expenses, travel reimbursements, small purchases, and\ninvestigative expenses. However, the weaknesses we identified, when taken as a whole,\nincrease the risk of waste, unauthorized use, or theft not being detected in a timely\nmanner. To reduce this risk, DEA managers need to: (1) reinforce requirements for\nsupporting documents, authorized expenses, approvals, and stamping voucher packages\n"PAID," (2) streamline bank reconciliations by incorporating the monthly\nreconciliations into the daily reconciliations, and eliminating the monthly\nreconciliations, (3) ensure bank reconciliations identify all differences and are timely\ncompleted, (4) ensure each draft technician has a unique user identification (USERID) and\npassword, (5) ensure blank check stock is secured from unauthorized access, and (6) ensure\nvoided checks are marked "VOID" and recorded in FMIS.\nPrior to the issuance of this report, we discussed and reached agreement with DEA\nmanagement on the finding and recommendations. The report discusses conditions found, our\nrecommendations, and actions necessary for final closure. These matters are discussed in\nthe Finding and Recommendations section of the report. Our audit scope and methodology are\naddressed in Appendix I.\nFINDING AND RECOMMENDATIONS\nMANAGEMENT CONTROLS SHOULD BE STRENGTHENED\nIn our judgment, the weaknesses we identified, taken as a whole, increase the risk of\nwaste, unauthorized use, or theft not being detected in a timely manner. To reduce this\nrisk, DEA managers should improve management controls to safeguard third party checks. We\nnoted matters involving the management control structure and its operation that we did not\nconsider significant enough to report, but that we communicated separately to DEA\nmanagers. The controls we believe need improvement are discussed below.\nGuidance\nGuidance for the operation of DEA\'s third party payment system is contained in the DEA\nThird Party Draft Payment System Policies and Procedures Manual (DEA Manual) and the\nDepartment of Justice Third Party Draft Payment System Policies and Procedures Handbook\n(JMD Handbook). We worked with DEA managers to determine which controls in the DEA Manual\nand JMD Handbook were critical. We identified eight controls that should be working\neffectively to safeguard third party payments. We then evaluated the effectiveness of the\neight controls using a statistically valid sample of third party payments. We determined\nif: (1) voucher packages included all required supporting documents, (2) expenses were\nauthorized, (3) supporting documents were signed by approving officials, (4) checks were\nwithin allowable dollar limits, (5) information on checks matched supporting documents,\n(6) voucher packages were stamped "PAID," (7) checks were computer generated,\nand (8) signatures on checks matched signature cards and payees and check amounts on\nchecks matched copies of checks.\nDEA\'s third party payments are processed through the JMD\'s FMIS. From the FMIS, we\nidentified the universe of third party payments issued during the period October 1, 1994\nthrough September 30, 1995. The universe included third party payments issued for\nimprest-fund type expenses, travel reimbursements, small purchases, and investigative\nexpenses. From the universe, we selected a stratified statistical sample of 100 payments\nvalued at $45,022 from a universe of 69,336 payments valued at $30,159,429.\nBased on our testing, we are 95 percent confident that the combined error rate for all\neight controls was 96 percent, with one to four errors per payment. Four payments had no\nerrors, 60 payments had one error, 26 payments had two errors, 8 payments had three\nerrors, and 2 payments had four errors. See Appendix II for a matrix of control errors for\neach sampled third party payment.\nThe error rate for four of eight controls tested was at or less than 5 percent. The\nfour controls were: (1) expense limits; (2) matching document information; (3) review of\ncheck; and (4) draft disbursing officer signature, payee, and check amounts.\nA summary of the four remaining controls follows:\nSupporting Documents. Eighty of 100 third party payments were supported by\nrequired documents; the remaining 20 payments were not. Based on our testing, we estimate\nthat 13,870 payments with a value of about $2,257,911 did not include at least one of the\nrequired supporting documents. See page 15 for a list of required supporting documents.\nThe requirements for supporting documents are designed to ensure expenses are\nlegitimate and properly documented. The payments that did not include all required\nsupporting documentation were for: (1) office supplies, (2) travel, (3) room rental, (4)\ndata base service, (5) radio equipment rental, (6) vehicle maintenance and repair, (7)\nequipment parts and repair, (8) honorarium, (9) bottled water, and (10) fuel.\nAuthorized Expenses. Eighty-two of 100 third party payments were for authorized\nexpenses; the remaining 18 payments were not. Based on our testing, we estimate that\n12,529 payments with a value of about $1,584,556 were for unauthorized expenses. See page\n15 for the categories of authorized expenses. The DEA\'s Office of Finance will pursue\ncollection of improper payments identified in this report, as well as strengthen post\npayment audit procedures.\nThe requirements limiting the types of expenses are designed to ensure funds are not\nwasted. The unauthorized payments were for: (1) tolls claimed for travel not specified as\ngovernment or official business, (2) bottled water, and (3) travel expenses. The payments\nfor travel expenses included reimbursement for: (1) per diem, phone calls, and rental car\nin excess of allowable amounts; (2) air fare, automatic teller machine fees, and banquet\nfees not authorized per the travel authorization; and (3) expenses not supported by a\ntravel authorization or approved travel voucher.\nApprovals. Ninety-two of 100 third party payments were properly approved as\nevidenced by either a supervisor\'s, manager\'s, or auditor\'s signature; the remaining 8\npayments were not. Based on our testing, we estimate that 5,550 payments with a value of\nabout $791,989 did not include at least one required approval. See page 15 for a list of\nrequired approvals.\nThe requirements for approvals are designed to ensure expenses are legitimate and\nauthorized. The payments that were not approved were for: (1) travel, (2) training, and\n(3) office supplies.\nVoucher Packages. Nine of 100 third party payments were stamped "PAID"\nas required; the remaining 91 payments were not. Based on our testing, we estimate that\n63,103 payments with a value of about $21,850,057 were not stamped "PAID."\nAlthough we found no duplicate payments resulting from vouchers not being stamped\n"PAID," the requirement decreases the risk of loss from documents being used to\nsupport more than one payment.\nDEA Compliance Reviews\nOur findings, based on a nationwide review of the program, corroborated the results of\noffice-by-office compliance reviews performed by the DEA\'s Office of Finance. These\nreviews, performed by DEA accountants independent of the process and knowledgeable of\nproper management controls and financial systems, were conducted to determine if staff at\nthird party payment sites were following the DEA Manual. The reviews included a sample of\nchecks processed from June 1, 1993 through July 31, 1995. The reports, issued for each\noffice reviewed, cited the weaknesses, applicable policy, and recommendations for\ncorrective actions. Management at the third party payment sites provided written responses\naddressing the recommendations. The responses indicated an increased awareness and\nunderstanding of management controls. To reinforce the results of the reviews, DEA\nmanagement is revising the DEA Manual to eliminate confusing and conflicting information\nand to emphasize new policies and procedures for ensuring proper management controls.\nMany of the management control errors identified in our report were also identified\nduring the reviews. Prior to our audit, the DEA\'s Office of Finance had taken corrective\naction regarding stamping voucher packages "PAID." For the remaining controls of\nsupporting documents, authorized expenses, and approvals, the third party payment site\nmanagers agreed in writing to corrective actions. The Office of Finance is continuing to\nwork with the site managers to correct outstanding recommendations and to promote a clear\nunderstanding of management controls.\nBank Reconciliations\nThe Federal Managers\' Financial Integrity Act (FMFIA) of 1982 requires internal\naccounting and administrative controls to provide reasonable assurance that: (1) funds are\nsafeguarded against waste, loss, unauthorized use, or misappropriation; and (2) revenues\nand expenditures applicable to agency operations are properly recorded and accounted for\nto permit the preparation of accounts and reliable financial and statistical reports and\nto maintain accountability over the assets. DEA\'s FMFIA reporting identified\nnonconformances for bank reconciliations and classified the findings as "management\nconcerns."\nA key feature of internal accounting controls is the independent reconciliation of bank\nstatements and accounting records to ensure errors or irregularities are detected in a\ntimely manner. DEA Headquarters\' staff performed daily and monthly reconciliations of\nchecks paid by the bank with entries recorded in the DEA Accounting System (DEAAS). These\nreconciliations required agreement between the FMIS, DEAAS, Mellon Bank, and U.S.\nTreasury. In addition, funds were obligated in DEAAS, while checks were issued through the\nFMIS.\nDaily Bank Reconciliations: DEA performed daily reconciliations of: (1) checks\nissued to checks presented to Mellon Bank for payment, and (2) checks issued and presented\nto Mellon Bank for payment to DEAAS obligations.\nChecks Issued to Checks Presented for Payment. This reconciliation was designed\nto identify differences between checks issued through the FMIS to checks presented to\nMellon Bank for payment. JMD staff electronically reconciled the FMIS to the presented\nchecks and printed a report of differences. The report included differing check amounts\nand check numbers. DEA Cash Unit staff tried to resolve all differences the same day by\nfollowing up with the bank, reviewing FMIS, or reviewing the check at DEA Headquarters.\nErrors were corrected on FMIS, if necessary. The Cash Unit staff said the bank was not\nnotified of errors because the bank usually discovered mistakes. As of November 28, 1995,\nthe report listed no differences older than four workdays old; therefore, we considered\nthe differences timely resolved.\nUntil recently, DEA staff relied on the monthly reconciliations for identifying credits\ndue, such as for bank input errors. Because of the delayed acceptance of credits, funds\nhad to be paid from the Treasury earlier than necessary. In January 1996, the DEA began\nidentifying credits due on a daily basis.\nChecks Issued and Presented for Payment to DEAAS. This reconciliation was\ndesigned to (1) identify differences between checks issued and checks presented to Mellon\nBank for payment to DEAAS obligations and (2) ensure all daily transactions were entered\ninto DEAAS. DEA Financial Systems Unit staff electronically matched issued and presented\nchecks to DEAAS obligations and printed a report of differences. These differences\nincluded transactions rejected because of insufficient obligations or improper object\nclassification codes. DEA Cash Unit staff attempted to resolve the differences identified\nby the electronic reconciliation. However, the report did not identify all differences.\nDEA Cash Unit staff duplicated the electronic reconciliation with a manual\nreconciliation because checks issued and voided on the same day were not listed in DEAAS.\nAdditionally, when checks were voided in the FMIS after the date of issuance, DEAAS\nerroneously recorded the void date as the date the check was originally issued. DEA staff\nhad to override DEAAS to correct the date to the actual date voided. DEA Cash Unit staff\ntried to resolve all differences the same day by following up with the responsible third\nparty payment site or reviewing the check at DEA Headquarters.\nWe reviewed 12 daily reconciliations from FY 1995. As of January 30, 1996, 5 daily\nreconciliations had unreconciled differences for issued checks which ranged from $342 more\nin checks issued per DEAAS to $634 more in checks issued per FMIS. Differences for\npresented checks ranged from $1,004 more in checks presented per DEAAS to $1,607 more in\nchecks presented per FMIS. DEA staff said these differences had not been resolved because\nof oversight and lack of knowledge in handling the corrective accounting entries.\nMonthly Bank Reconciliations: Staff from DEA\'s General Accounting Unit performed\nmonthly reconciliations of: (1) DEAAS transactions to Mellon Bank for presented checks,\n(2) DEAAS transactions to FMIS issued checks, and (3) U.S. Treasury reimbursements to\nMellon Bank for paid checks. DEA\'s Cash Unit was responsible for resolving the differences\nidentified for issued and presented checks.\nThe monthly reconciliations of DEAAS to Mellon Bank and to the FMIS are essentially the\nsame as the daily reconciliation of DEAAS to Mellon Bank and FMIS. Therefore, if the daily\nreconciliations were timely performed and resolved, the monthly reconciliations would not\nneed to be performed.\nDEA\'s General Accounting Unit prepared a summary level reconciliation of all third\nparty payment schedules. The reconciliation of the U.S. Treasury to Mellon Bank was\ndesigned to ensure the DEA accurately reimbursed Mellon Bank for presented checks and that\ndaily reconciliations were being timely completed. Prior to our audit, DEA staff were not\nresolving the differences identified from this reconciliation. As of April 23, 1996, the\nGeneral Accounting Unit staff said all differences from October 1995 through February 1996\nwere resolved; the differences were primarily attributed to credits due. The differences\nfor the remaining FY 1995 reconciliations will be resolved as time allows.\nGiven the problems with password security, check stock security, and voided checks\ndiscussed below, the DEA should improve the reconciliation process by: (1) incorporating\nthe monthly reconciliation of Mellon Bank to Treasury into the daily reconciliations, (2)\nensuring the daily reconciliations are completed timely and all differences identified and\nfollowed up timely, and (3) eliminating the monthly reconciliations. The DEA would benefit\nfrom the increased control over cash.\nPassword Security\nDOJ Order 2640.2C, Telecommunications and Automated Information Systems Security,\nChapter 2, requires that USERID and password systems support the minimum requirements of\naccess control, and requires each user to have a unique user identification and password.\nThe JMD Handbook also requires that each Draft Technician have an individual USERID and\npassword. Each Draft Technician is required to have a unique USERID and password for\naccessing the FMIS Draft Module.\nDraft Technicians at seven field office each had unique USERIDs and passwords. However,\nDraft Technicians at the three remaining field offices said they shared USERIDs and\npasswords. In addition, at one of these field offices, the USERID, password, and\ninstructions for accessing the FMIS Draft Module was posted next to the computer used for\nissuing checks.\nThe FMIS includes a computer program that records logons. Each time a user ends an FMIS\nsession, a record is written to the accounting file. The accounting file contains the\nlength of time a user was connected to FMIS, but not the time of the logon and logoff. DEA\nManagement would be unable to trace errors or irregularities to a single user in the field\noffices with shared USERIDs and passwords.\nShared USERIDs and passwords compromise the management control of the third party\npayment system. Lack of control over USERIDs and passwords combined with posted\ninstructions for accessing the computer permits unauthorized access to FMIS. This in turn\ncould lead to unauthorized issuance of checks.\nThe DEA\'s Office of Finance identified shared passwords as a weakness at three third\nparty payment sites in FY 1995. During our audit we visited two of these sites and found\nthat passwords were no longer shared.\nSecurity of Check Stock\nThe DEA Manual and JMD Handbook requires blank check stock be secured from unauthorized\naccess and/or theft at all times. The blank check stock must be stored in a fireproof\ncontainer, at a minimum, and safeguarded until needed.\nBlank check stock was properly secured at four field offices. However, blank check\nstock was not stored in a fire-proof container and the storage area was not secured at the\nremaining six field offices. At three of the six field offices, blank check stock was\nstored in the original cardboard box on the floor of the imprest fund room. At the other\nthree field offices, blank check stock was stored in an unlocked file cabinet or safe. At\nall six field offices, the imprest fund rooms were unsecured during the day, but were\nsecured after business hours. The lack of security could lead to loss or theft of checks\nand unauthorized issuance of checks.\nDEA\'s Office of Finance identified unsecured blank check stock as a weakness at six\nthird party payment sites in FY 1995. During our audit we visited one of these sites and\nfound that blank check stock was still not properly secured.\nVoided Checks\nThe DEA Manual requires the Draft Technician to write or stamp "VOID" on the\nfront of the original check and all copies, preferably over the space provided for the\nsignature. In addition, all checks which are manually voided must be voided in the FMIS\nDraft module.\nWe reviewed 824 voided checks from a printout provided by JMD. Seven hundred and\nseventy three checks were manually voided. However, only 207 were voided across the\nsignature line. Of the remaining 566 checks, 564 were voided either partially or wholly\nacross the face of the check and 2 were voided across the check stub. Twelve checks were\nnot voided. In addition, 39 checks were not on file at the field offices; we could not\ndetermine if the checks were voided. For each of the 39 checks, we reviewed the bank\nstatements from the issue date to 180 days past the issue date, since checks are void\nafter 180 days. None of the 39 checks had been cashed.\nWe also reviewed 117 voided checks at the ten field offices to determine if they were\non the JMD printout. Seventy-five checks were not on the printout. Of the 75 checks, 20\nchecks were recorded in FMIS as "void", 12 checks were recorded in FMIS as\n"damaged", 6 checks were recorded in FMIS as "issued", 1 check was\nrecorded in FMIS as "cleared", while the remaining 36 checks were not recorded\nin FMIS. Of the 20 checks recorded as "void", 8 checks were voided outside of\nthe review period; therefore, they would not be on the JMD list. The remaining 12 checks\nwere voided during the review and should have been on the JMD list. For each of the 7\nchecks recorded in FMIS as "issued" or "cleared," we reviewed the bank\nstatements from the issue date to 180 days past the issue date. None of the 7 checks had\nbeen cashed.\nIf voided checks are not properly marked, they could be easily negotiated. Also, if\nvoided checks are not entered into FMIS, accountability over the issuance of such checks\nis jeopardized.\nConclusion\nIn summary, (1) supporting documents were missing from voucher packages; (2) expenses\nwere paid which were not authorized by the DEA Manual and JMD Handbook; (3) payments were\nmade which had not been approved by a supervisor, manager, or auditor; and (4) voucher\npackages were not marked "PAID." In addition, DEA staff conducting bank\nreconciliations did not follow-up on all the differences identified during the daily\nreconciliations. Finally, field office staff shared passwords, did not secure blank check\nstock, and did not properly account for voided checks. The causes for the above weaknesses\nranged from inadequate oversight to not being aware of or familiar with the controls in\nthe DEA Manual. The reasons were all indicative of management not stressing and\nreinforcing the third party payment controls.\nIn our judgment, the third party payment system can be an effective method to make\ndisbursements for imprest fund-type expenses, travel reimbursements, small purchases, and\ninvestigative expenses. However, DEA managers should improve management controls to\ndecrease the risk of waste, unauthorized use, or theft going undetected.\nPrior to issuance of this report, we discussed the finding with DEA management and\nobtained concurrence on each recommendation. The actions necessary for final closure are\ndiscussed following each recommendation.\nRecommendations\nWe recommend the Administrator, DEA:\n1. Reinforce requirements for supporting documents, authorized expenses, approvals, and\nstamping voucher packages "PAID."\nResolved. This recommendation can be closed when we receive documentation that\nthe requirements have been reinforced to DEA personnel.\n2. Streamline bank reconciliations by incorporating the monthly reconciliations into\nthe daily reconciliations and eliminating the monthly reconciliations.\nResolved. This recommendation can be closed when we receive documentation that\nthe monthly bank reconciliations have been incorporated into the daily reconciliation,\nthus eliminating the monthly reconciliation.\n3. Ensure bank reconciliations identify all differences and are timely completed.\nResolved. This recommendation can be closed when we receive documentation that\nDEA staff have been instructed to timely complete bank reconciliations and resolve all\ndifferences.\n4. Ensure each draft technician has a unique USERID and password.\nResolved. This recommendation can be closed when we receive documentation that\nunique USERIDs and passwords have been assigned to draft technicians at each third party\npayment office.\n5. Ensure blank check stock is secured from unauthorized access.\nResolved. This recommendation can be closed when we receive documentation that\nstaff at each third party payment office have been instructed to secure blank check stock\nin accordance with DEA requirements.\n6. Ensure voided checks are marked and are recorded in FMIS as void.\nResolved. This recommendation can be closed when we receive documentation that\nstaff at each third party payment office have been instructed to ensure that voided checks\nare marked and recorded in FMIS as void.\nSTATEMENT OF COMPLIANCE WITH LAWS AND\nREGULATIONS\nWe have audited the DEA\'s Third Party Payment System. The audit covered the period\nOctober 1, 1994 through the third quarter of FY 1996, and included a review of selected\nactivities and transactions.\nIn connection with the audit and as required by government auditing standards, we\ntested transactions and accounting records to obtain reasonable assurance about the DEA\'s\ncompliance with the laws, regulations, and the U.S. Treasury Financial Manual that we\nbelieve could have a material effect on the use of third party payments. Compliance with\nlaws, regulations, and sections of the U.S. Treasury Financial Manual applicable to the\nuse of third party payments is the responsibility of DEA management.\nAn audit includes examining on a test basis, evidence about laws and regulations. The\nspecific law and guideline for which we conducted tests are contained in:\n\xc2\xb7 the Federal Managers\' Financial Integrity Act of 1982, and\n\xc2\xb7 Section 3040.70, U.S. Treasury Financial Manual.\nExcept for the management control weaknesses identified in the Finding and\nRecommendations section of this report, the DEA complied with the requirements of the\nFederal Managers\' Financial Integrity Act of 1982 and Section 3040.70 of the U.S. Treasury\nFinancial Manual. With respect to those transactions not tested, nothing came to our\nattention that caused us to believe that DEA management was not in compliance with the law\ncited above.\n#####'